For Secure & Robust ICS

Archives for July 2011

The calm before the storm of Dillon’s Black Hat presentation next week. The presentation will not greatly change the risk environment for critical infrastructure ICS, but it will make a big publicity splash outside of the Automation Press. Best case is it helps push over the wall of denial and inaction that has PLCs still vulnerable by design — even in the high-end, most modern PLCs.

ICS-CERT published a confusing announcement on Wednesday. The title on the site is “Cross Vendor Working Group”. The title of the document is “Cross-Vendor Position Paper on ICS Security Posture”. The announcement states the paper will come out in Fall of 2011, but they are only calling for participation now? “The product of this focused effort will be a cross-vendor position paper that discusses the current security challenges and a path forward for a more effective industrywide approach to ICS security.” Is this an effort to blunt criticism / respond in advance to the likely spate of reporter questions next week?

Pike Research covers a GE / GM announcement regarding EV power usage information sharing. “The smart grid pilot program, which will start with one unannounced utility, will provide access to charging history – including location, time, and amount of energy consumed by the vehicle – and will be made available to understand how PEVs will impact the grid.” Not sure why, but this feels significant.

Jakeman Business Solutions in Australia issued a lessons learned report from Cyber Storm III that was posted on the Australian CERT site. It is hard to be too negative about an exercise like Cyber Storm since it does open some eyes and communication channels. Results for money spent would be the question. A large part of the Cyber Storm exercises is the PR. Each one is pre-ordained to be a success and result in a lot of positive articles.

Digital Bond released a high interaction / very realistic SCADA Honeynet a few years back. Actually a better name would be a PLC Honeynet because it appeared to be a Modicon PLC. It has a points list with realistic values from an actual PLC that can be accessed via Modbus TCP. The FTP, HTTP, Telnet and SNMP interfaces are also realistic. FYI, it is still available for free download and use.

For about 18 months we had Honeynets deployed in a substation and on the Internet. While they saw a number of attacks, they all appeared automated and none were ICS related. We saw no traffic on the Modbus TCP port, and the FTP password guessing attacks never attempted the default Modicon credentials which are easily learned via search. With the advent of Shodan, it may be worthwhile hanging a couple on the Internet and seeing if anything has changed.

In a tweet, @mtoecker was asking if this could be modified to detect Beresford or Stuxnet attacks on a Siemens S7 PLC. The answer is of course yes; the question is how much work would be required.

If you have a spare Siemens S7 PLC, it is very simple to modify the SCADA Honeywall, a subset of the SCADA Honeynet, to support the S7. Look at the drawing at the bottom of this page, and you will see how the Honeywall can sit in front of the PLC to log activity and alert on attacks. Since this is not a valid PLC in the process, any activity would be unauthorized, but not necessarily malicious.

The other approach would be to create a simulated S7 PLC to replace the simulated Modicon PLC. The amount of work is directly related to the level of interaction/realism, which is directly related to how long an attacker will be fooled by the Honeynet.
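To show the kind of logging and alerting the Honeywall does in front of a PLC that is not part of the real process, here is an added example (not code from Digital Bond's SCADA Honeynet): it decodes Modbus/TCP requests sent to the honeypot and grades each one, treating every request as unauthorized and escalating writes and malformed frames. The frame bytes and source addresses are constructed for the example.

```python
# Added example, not Digital Bond's SCADA Honeynet code: decode Modbus/TCP
# requests reaching a honeypot PLC and turn them into alerts. The honeypot is
# not part of the real process, so every request is unauthorized; writes are
# escalated because they attempt to alter PLC state.
import struct

# Public Modbus function codes (Modbus application protocol specification)
FUNC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCS = {5, 6, 15, 16}

def parse_modbus_tcp(frame):
    """Decode the 7-byte MBAP header; return (transaction id, unit id, fc, data)."""
    if len(frame) < 8:
        raise ValueError("truncated Modbus/TCP frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return tid, unit, frame[7], frame[8:]

def triage(frames):
    """Return one (severity, message) per frame; malformed frames are flagged too."""
    alerts = []
    for src, frame in frames:
        try:
            tid, unit, fc, data = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append(("HIGH", f"{src}: malformed frame ({err})"))
            continue
        name = FUNC_NAMES.get(fc, f"unknown function {fc}")
        severity = "HIGH" if fc in WRITE_FUNCS else "MEDIUM"
        alerts.append((severity, f"{src}: {name} unit={unit} tid={tid} data={data.hex()}"))
    return alerts

# Constructed sample frames (not captured traffic): a read, a write, a bad length
SAMPLE = [
    ("203.0.113.5", bytes.fromhex("00010000000601030000000a")),   # read 10 holding registers
    ("203.0.113.5", bytes.fromhex("00020000000601060010ffff")),   # write register 16 := 0xFFFF
    ("198.51.100.9", bytes.fromhex("00030000000901030000")),      # MBAP length field lies
]
```

Calling `triage(SAMPLE)` yields a MEDIUM alert for the read, and HIGH alerts for the write and the malformed frame.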

During the event Eric Byres and Joel Langill reported very positively on Twitter, but they were, along with all users who attended the event, then whipsawed by the serious vulnerabilities disclosed immediately after the event.

With all this as background, I have a candid conversation with Eric about the positives and negatives from the Summit, his role and impact on the event, and what he will do differently at future User Group events.

Note: Reid Wightman recently joined Digital Bond. Previously Reid was with SEL, and his background is in embedded systems assessments.

With last week’s Langner post on just how easy the PLC is to reprogram with a logic time-bomb, I wonder: how long will it be until we see Stuxnet clones in the wild?

The answer is, ‘Maybe two years,’ in my opinion. At 27c3, FX showed how to analyze the Stuxnet PLC code (caution: swear words and disparaging remarks made towards open source), allowing for duplication of not only a timed attack, but also the input manipulation code needed to confuse operators further (as though randomly changing output data would not cause trouble enough). The ‘good stuff’ begins at about 47 minutes in.

Since all of the necessary utility functions are implemented and available for download, it seems only a matter of time before the youth start playing with packaged payloads and infection vectors, especially for Siemens equipment.

Clones need not be limited to Siemens hardware, of course. Other vendors are lucky that Siemens got hit first — and they should not waste time waiting to be hit next. No doubt the control system hacker community’s new hobby will become implementing Stuxnet-like features in ladder logic for various PLCs/RTUs/automation controllers and pressing the ‘compile’ button. I worry that incidents will need to start happening in order for vendors to wake up. Remember that, while the outcome of such an attack might just be damage (and thus difficult to capitalize upon for an attacker), early hacking was rarely done for profit…

ABC News covers a new DHS report that says the bad guys are trying to gain insider positions or access to insiders to attack the critical infrastructure. This is hardly new news, but perhaps it helps raise awareness outside of the ICS security community and may lead a C-level executive to ask or be asked pertinent questions.

The agenda is out for the 2011 ACS Conference on Sept 20 – 22 in Washington DC. Joe Weiss’s ACS conference is the longest running ICS security event. Well, that might not be technically accurate. It actually began with a conference that Joe ran for a few years when he was with EPRI and then changed a bit in 2007 when he formed his own company, ACS. Joe has been putting on an event for eleven years now that I and many in the industry call WeissCon.

Last year the event was blessed with perfect timing, and it had the first major presentation on Stuxnet by Ralph Langner. It seems impossible now, but it was a gutsy decision for Joe to allow this presentation. At that time Ralph had blogged on the fingerprinting and PLC changes, and we had written some blog entries highlighting and supporting Ralph’s findings, but almost every other news source was either ignoring the news or was afraid to touch it. This was despite the data being quite clear. Even the other blogs in this space and the Automation Press wouldn’t touch the story for fear of being called crazy or getting Siemens upset.

WeissCon 2010 gave Ralph all the time he needed to explain Stuxnet to the audience, and the story exploded from there over the next few weeks to every major news outlet.

This year’s agenda includes presentations from:

those who have found vulnerabilities such as Langner, Beresford, and Udassin

the SCADASEC boys

some of the smart guys in the vendor space like Hegrat, Braendle and Microsoft’s Sullivan

Guest Blogger Andrew Ginter is the Director of Industrial Security for Waterfall Security Solutions. Prior to joining Waterfall he wrote the popular Control System Security blog.

Eric Byres’ recent post claiming the #1 ICS and SCADA Security Myth is protection by air gaps struck a chord with me. I have been thoroughly distracted of late with my new role at Waterfall Security Solutions but even so I could not let this one go by. Old-school air gaps are still used occasionally, in the most sensitive control systems. The rest of the time, technologies like data diodes or unidirectional gateways provide the most important benefits of truly air gapped control systems, while still permitting businesses to profit from access to the real-time data produced by their control systems. (FD: Waterfall Security Solutions makes and sells unidirectional gateways tailored for the ICS market)

True Air Gaps

Old-school air gaps are still used routinely, in very sensitive installations, in classified government installations, and in very cautious installations. For example, the water sector still uses air gaps routinely, and many sectors use true air gaps to isolate safety systems. The benefits of true air gaps are clear – absolute protection from certain classes of network-based threats. If you have a true air gap – complete disconnection of some or all of your control network from any external network – then that system is invulnerable to distributed denial of service attacks, remote control attacks, worms and any other network-based attack originating on an external network, including the Internet.

The cost of true air gaps is clear as well – limited access to real-time data. I remember the mid 1990’s when most process industries were connecting their real time systems to Enterprise Resource Planning (ERP) systems like SAP. Simple applications with fancy names were being installed, which took advantage of real-time access to raw material inventories, finished goods inventories, product quality data and equipment usage data. The motive was clear – generally 3-8% cost savings at a large facility. By now most sites have deployed this kind of application and are seeing cost savings as a result, and sometimes revenue benefits as well. No site is willing to give up these benefits.

Access to real-time data has real value. If you “pull the plug” on the connection(s) to the corporate network, control systems generally continue to run safely, indefinitely — but few of those sites can make money any more. Access to real-time data is essential to profitability.

Most Important Benefits

The good news: it is possible to enjoy both the most important security benefits of true air gaps, and the most important business benefits of access to real-time data. Many sites, both air-gapped and not, are turning to unidirectional technologies for these benefits.

We received a Black Hat promo email this week. The first highlight in early press was Beresford’s Exploiting Siemens Simatic S7 PLCs presentation. Whatever is said in that presentation is going to get widespread press coverage outside the Automation Press.

Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.

WatchGuard Technologies, a vendor producing firewall and other more full-featured perimeter security solutions, issued a press release yesterday highlighting their SCADA IDS / IPS signatures for the XTM series of firewalls.

Tim Helming, Director of Product Management at WatchGuard comments:

“Historically, OT networks ran autonomously or were completely disconnected from IT protection and control, however, as OT and IT networks converge, legacy OT networks become vulnerable to hackers and viruses. Now, WatchGuard is providing the same levels of advanced intrusion prevention, malware protection and granular management used in enterprise environments to secure key industrial and infrastructure networks.”

After a bit of searching on the signatures, it looks like they are a WatchGuard-created subset of the Luigi vulnerability signatures written by Emerging Threats Pro / Nitro Security and available free of charge in our Quickdraw SCADA IDS package. You will see signatures for Siemens, IGSS, Datac, Iconics and probably others. There are no general protocol signatures such as Modbus or DNP3.

Most of the signatures show a date of March 28th, so it is unclear why the press release is coming out now. Are there additional signatures not listed in their database or is it just marketing catching up?

WatchGuard is in a tough spot with market share. We typically recommend going with market leaders, in this case Check Point, Cisco or Juniper, unless there is a compelling technical benefit to go with a smaller competitor; in this case an argument could be made for Palo Alto Networks. Unfortunately these signatures don’t put WatchGuard in either of those recommended categories, even though it likely would do a fine job as a perimeter security / SCADA firewall solution.

Industrial Defender, an ICS security products and services vendor, issued a press release announcing three new security services for power plants: Monitor, Manage and Protect. What is novel about the offering is the pricing model. Pricing is based on the megawatts of rated capacity per power generation site, although no numbers were released.

Brian Ahern, president and CEO at Industrial Defender comments:

“Power generators, whether focused on the coal, hydroelectric, petroleum, nuclear or natural gas markets, require solutions that support sustainable security and compliance, while enabling operational excellence. Our new model enables these organizations to identify and procure solutions based on the needs of a specific site – rather than force-fit IT technology & pricing into the automation environment.”

The information available on the Monitor, Manage and Protect service was very limited. Reading between the lines:

Monitor: A SIEM or MSSP service that monitors IDS, performance statistics, some logs and Industrial Defender’s own agents.

Manage: Monitor plus some compliance management related to security patches, configuration, users and more logs.

Protect: Manage plus Host IDS/IPS, which would likely be the CoreTrace offering they OEM.

More on this as details are unveiled.

DP Note: Will Marks will be blogging on new announcements of ICS security products and services. Vendors should send pertinent press releases to marks (at) digitalbond.com

About Us

Digital Bond was founded in 1998 and performed our first control system security assessment in the year 2000. Over the last sixteen years we have helped many asset owners and vendors improve the security and reliability of their ICS, and our S4 events are an opportunity for technical experts and thought leaders to connect and move the ICS community forward.